NVD Revamps Operations as Vulnerability Reporting Surges

After a tumultuous year marked by internal turmoil and a mounting vulnerability backlog, the National Vulnerability Database (NVD) team within the US National Institute of Standards and Technology (NIST) has finally stabilized.
However, the NVD is now facing a new challenge: a surge in vulnerability reporting that has sent its backlog soaring, threatening to outpace the team’s revitalized efforts.
Tanya Brewer, the NVD Program Manager, and Matthew Scholl, Chief of the Computer Security Division at NIST, shared some of NVD’s latest updates on April 10, the final day of VulnCon, an event dedicated to vulnerability management in Raleigh, North Carolina.
They announced several improvements in how the NVD processes vulnerabilities and said they were working on new strategies to catch up with the backlog, including automating more data analysis tasks and exploring AI-powered methods to assist them.
NVD Overcomes Staffing Issues, Boosts CVE Processing
After a year of internal issues caused by the early-2024 expiry of a contract that supported the NVD’s work, the team responsible for adding and enriching vulnerabilities (CVEs) in the NVD is now working at full speed, Brewer announced.
In June 2024, NIST extended a commercial contract with an outside consultancy to help resolve the vulnerability backlog.
“[After that,] there was a long period of onboarding a whole new team [after the previous team had to leave due to the previous contract ending], with people going on maternity leave and other challenges, but we are now surpassing the work rate we had before our hiccup,” Brewer said.
A graph displayed to the VulnCon audience supporting Brewer’s speech showed that there were almost no CVEs processed between March and May 2024. In May and June 2024, there was a monthly processing rate well below 2000 CVEs.
However, CVE processing by the NVD team picked up again from August, showing a rate of between 2000 and 3000 CVEs processed monthly – comparable to the pre-March 2024 rate.
In 2025, the NVD team showed an even higher processing rate, with around 3000 CVEs processed per month.
Speaking to Infosecurity after the VulnCon session, Scholl confirmed that “the whole new team has now been onboarded, trained and is now up and running, back to what we call a full complement team.”
While he did not confirm how many people are now working in the NVD team, he said the team encompasses:
- A full set of analysts working on data enrichment
- A full set of developers working on supporting the data collection and analysis processes
- New people helping with standards specificities and governance
Additionally, while Scholl acknowledged during the VulnCon session the Trump administration’s push for greater efficiency across all US federal agencies, he told Infosecurity the NVD team does not fear future cuts.
“We’ve been assured by NIST that the NVD is a priority and that the agency will make sure the NVD program is resourced as such,” he added.
NVD Scraps Consortium Plans
Brewer and Scholl also confirmed that the creation of a consortium to support the NVD via a Cooperative Research and Development Agreement (CRADA), mentioned in a March 2024 update, had been dropped because it required too much administrative overhead and was deemed too cumbersome and “labor-intensive.”
The NVD will instead prioritize engaging with the vulnerability management community and the private sector through informal channels.
NVD’s Vulnerability Backlog Keeps Growing
Despite these efforts to build back the NVD team, Brewer admitted that the vulnerability backlog has continued growing at a rapid pace.
The chart previously mentioned also showed that in March 2025 the NVD reached 25,000 unprocessed CVEs, up from around 17,000 in August 2024. Despite efforts to analyse more CVEs every month and improvements since the March 2024 pause in NVD operations, the vulnerability backlog continues to increase.
This is mainly due to an explosion in CVE reporting, with the NVD observing a 32% growth in CVE submissions in 2024.
Additionally, a recent report by Jerry Gamblin, Principal Engineer at Cisco, estimated a 48% year-over-year growth in CVE publications in March 2025.
“Our processing rate is no longer sufficient to keep up with incoming submissions. As a result, the backlog is still growing,” Brewer said.
NVD’s Ongoing Efforts to Beat the Vulnerability Backlog
Pre-2018 CVEs No Longer Prioritized
The NVD has employed various strategies to catch up with the growing vulnerability backlog.
In an April 2 update, the NVD announced that all CVEs with a published date before 01/01/2018 that are awaiting further enrichment will be marked as ‘Deferred’ within the NVD dataset.
This means the NVD team will no longer prioritize updating their enrichment data due to the CVE’s age.
“We will continue to accept and review requests to update the metadata provided for these CVE records,” the update read.
“Should any new information clearly indicate that an update to the enrichment data for the CVE is appropriate, we will continue to prioritize those requests as time and resources allow. In addition, we will prioritize any CVEs that are added to the known exploited vulnerabilities (KEV) regardless of status.”
Speaking to Infosecurity, Brewer clarified that many of the requests for pre-2018 CVEs are minor changes, such as a link modification or requests to move a link from one place to another within the CVE entry.
“Honestly, it’s just not feasible to conduct further enrichment for CVEs older than seven years. It’s a big resource sink for us, with very little return since most of the affected products are already out of the market,” she said.
Gap Filling Strategy
For existing post-2018 CVEs, Brewer confirmed that the NVD team will temporarily adopt a gap-filling strategy over its traditional CVE enrichment approach.
This means the NVD analysts will prioritize adding enrichment data provided by the CVE Numbering Authorities (CNAs) when available rather than enriching each CVE from scratch.
Brewer told Infosecurity that although the strategy is officially temporary, there is a possibility that it will become permanent.
“However, we are also aware that many CVE records are either incomplete or full of inconsistencies. So, in a year, we may decide that the quality of CVE records we’re adding coming from CNAs is satisfactory, but we may also choose to revert back to our traditional CVE processing strategy,” she said.
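A small triage helper that encodes the two rules described above, the pre-2018 deferral with its KEV override and CNA-first gap filling, so a vulnerability management team can see which records still depend on NVD enrichment. This is an added illustration, not NVD code; the record layout and the CVE ids are constructed stand-ins, not the real CVE or NVD JSON schema.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed, simplified stand-in for a CVE record; not the real CVE/NVD JSON schema.
@dataclass
class CveRecord:
    cve_id: str
    published: date
    cna_cvss: Optional[float] = None                   # CVSS base score supplied by the CNA, if any
    cna_cwe: Optional[str] = None                      # CWE identifier supplied by the CNA, if any
    cna_cpes: list[str] = field(default_factory=list)  # CPE names supplied by the CNA, if any

# From the April 2 update: CVEs published before this date and awaiting enrichment are 'Deferred'.
DEFERRAL_CUTOFF = date(2018, 1, 1)

def triage(rec: CveRecord, kev_ids: set[str]) -> dict:
    """Apply the rules in the order the article gives them: KEV membership is prioritized
    regardless of age, pre-2018 records are deferred, and everything else is gap-filled
    from CNA data, so NVD analysts only supply the fields the CNA left empty."""
    if rec.cve_id in kev_ids:
        status = "priority-kev"
    elif rec.published < DEFERRAL_CUTOFF:
        status = "deferred"
    else:
        status = "gap-fill"
    missing: list[str] = []
    if status != "deferred":
        if rec.cna_cvss is None:
            missing.append("cvss")
        if rec.cna_cwe is None:
            missing.append("cwe")
        if not rec.cna_cpes:
            missing.append("cpe")
    return {"cve_id": rec.cve_id, "status": status, "needs_nvd_enrichment": missing}

def triage_all(records: list[CveRecord], kev_ids: set[str]) -> list[dict]:
    return [triage(r, kev_ids) for r in records]

# Constructed sample input; the CVE ids are placeholders, not real CVEs.
SAMPLE_KEV = {"CVE-2017-99991"}
SAMPLE_RECORDS = [
    CveRecord("CVE-2017-99990", date(2017, 6, 1), cna_cvss=5.0, cna_cwe="CWE-79"),   # old, not in KEV
    CveRecord("CVE-2017-99991", date(2017, 6, 1)),                                   # old, but in KEV
    CveRecord("CVE-2024-99990", date(2024, 3, 1), cna_cvss=7.5, cna_cwe="CWE-787"),  # CNA left CPE empty
]

if __name__ == "__main__":
    for row in triage_all(SAMPLE_RECORDS, SAMPLE_KEV):
        print(row)
```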
Exploring AI-Powered CPE Data Automation
To support this new strategy, Chris Turner, a member of the NVD team and a board member in the CVE program, has been building an automation tool for Common Platform Enumeration (CPE) data.
CPE is a standardized way, widely used by vulnerability management professionals, to identify and describe IT products such as applications, software, operating systems (OS) and hardware.
Speaking to Infosecurity, Brewer explained: “This tool uses data from the CVE list to start the process of generating CPE data automatically for CVE records.”
This tool could use machine learning algorithms for data identification, collection and processing.
Additionally, the NVD is working on overhauling their CPE console and could make it available for all CNAs in the future.
Automating Linux Kernel CVE Data Processing
After noticing that many CVE additions over the past year and a half were Linux kernel CVEs, the NVD also decided to work on a proof-of-concept to explore AI-powered tools for automating the data collection and processing of these requests.
“Those entries are filled out and formatted in ways that allow us to do machine learning analysis and parsing,” Brewer told Infosecurity.
These automation tasks could include, for instance, selecting the relevant Common Weakness Enumeration (CWE) entries or the Common Vulnerability Scoring System (CVSS) score for each Linux kernel CVE.
Finally, Brewer shared additional internal and external improvements, which include:
- An overhauled internal vulnerability console
- An updated NVD search engine, allowing users to search by CNA and Authorized Data Publisher (ADP)
- A revamped NVD vulnerability application programming interface (API)
- An updated NIST Vulnerability Data Ontology (Vulntology), a formal representation of knowledge about vulnerabilities, providing a structured framework for describing and analyzing vulnerability data.
Vulnerability Experts Regret a “Missed Opportunity” to Answer More Questions
Many experts in the vulnerability community have complained about the NVD’s lack of transparency and infrequent public communication.
While the VulnCon session answered some questions, members of the vulnerability management community, such as Brian Martin, author of the Jericho blog and vulnerability watchdog, and Jeroen Braak, Security Solutions Sales at Flexera, said they were frustrated that the session lasted only 30 minutes.
“They did a 30-minute session, but they knew there would be an hour of questions,” Martin told Infosecurity.
“For a community that’s been raising valid concerns and waiting for answers, this feels like a missed opportunity,” Braak said in a LinkedIn post.
Responding to this criticism, Scholl told Infosecurity, “Anyone can reach out to us at any time. We do talk to the community often, but it is a large community, so we try to do it at scale, at conferences like VulnCon or our own events. I can understand the frustrations of some, and it may feel like we don’t do enough on a one-on-one basis.”
“Sometimes, we can disagree and need to work out a consensus together, but we certainly don’t turn people away when they come and want to engage and talk to us,” he added.
Way Forward? Diversification of Vulnerability Data Sources
Since the NVD’s previous updates on March 19 and April 2, voices in the vulnerability community have emphasized the need for diversifying CVE data sources in light of the continuing issues at the NVD.
On April 4, Sarah Gooding, Head of Content Marketing at software supply chain security company Socket, wrote a post in which she recommended that security teams diversify their feeds with other sources, such as CVE.org, vendor advisories, CISA KEV, OSV.dev, ExploitDB and others.
“If organizations look at multiple places and sources and more people start providing more vulnerability data for others in the community to build on and extend their knowledge, it might actually not be a bad thing,” Scholl responded.